Q&A With Black Hat, DEF CON Founder Jeff Moss

Jeff Moss, consultant and former hacker, offers his takes on trends, privacy, machine learning – and why you should always keep your keys in your pocket

The Black Hat professional security conference is under way in Las Vegas through Aug. 6, and several thousand software developers, security administrators, vendors, government operatives, analysts and military officials are communing in Sin City to exchange ideas and sip a brew — or a few.

As soon as Black Hat ends, DEF CON — which attracts some of the above people plus a horde of mysterious hacker-type characters — starts and continues through the weekend, ending Aug. 9.

Both of these celebrated international events were founded by the same man, Jeff Moss, also known as The Dark Tangent. Moss is a noted American hacker, computer security and Internet security expert. In 2005 Moss sold Black Hat to CMP Media, a subsidiary of UK-based United Business Media, for a reported $13.9 million. DEF CON was not included in the sale.

Moss is a graduate of Gonzaga University in Spokane, Wash., with a bachelor’s degree in criminal justice. He worked for Ernst & Young in its Information System Security division and was a director at Secure Computing Corp., where he helped establish the Professional Services Department in the United States, Asia, and Australia.

Moss, 40, is currently based in Seattle, where he works as a security consultant for a company that is hired to test other companies’ computer systems. He has been interviewed on issues including the Internet situation between the United States and China, spoofing and other e-mail threats and the employment of hackers in a professional capacity, including in law enforcement.

In 2011, Moss was named Vice President and Chief Security Officer of the Internet Corporation for Assigned Names and Numbers (ICANN), the multinational non-profit organization working for a secure, stable and unified global Internet.

Moss is also a member of the Council on Foreign Relations. The Council on Foreign Relations is an independent, nonpartisan membership organization, think tank, and publisher. In 2009, Moss was asked to join the White House’s Homeland Security Advisory Council.

Moss, who did a personal speaking appearance for Vectra Networks at the RSA Security Conference, and eWEEK’s Chris Preimesberger met earlier this year in San Francisco.

What are the high-level differences between Black Hat and DEF CON?

DEF CON’s a hacking conference and Black Hat was started four or five years after, so we could have a professional venue. So they grew up differently. I ended up selling Black Hat years ago, but I’m still involved there and consult. But I don’t have the day-to-day stress, of, you know, running it.

What can we expect to find out at Black Hat/DEF CON this year?

A couple things: Like we saw at RSA, there’s more machine learning — those are the new magic crystals that are being sprinkled everywhere. Data analytics; your IDS collects the data and then you use machine learning to get insight. Data analytics has come a long way from its earlier days in the data center. Now, instead of looking at just your network, you look at data sets across 500 networks. Using cloud infrastructure, you’re sharing data sets. That’s what’s adding the value; much richer, contextual data sets. That’s allowing another level of analysis.

Attackers and researchers are using this. Now they can model behavior better; they can do deeper analysis of a program flow. Both sides are using it; it’s a two-edged sword. I think what it will do in the long run is flush out some of the noise.

Defender techniques are getting better and better. We’re at a tipping point where over the next four or five years, the defenders will be sophisticated enough that the more annoying stuff will go away. We will programmatically detect spear-phishing; training employees against social engineering is getting automated and easier. All of this stuff is growing up and breaking out of the one-off niche phase into a consumer-productized area.

Companies like Intel are baking more security into the CPU, and operating system makers like Microsoft, VMware, and Apple are starting to take advantage of the hardware protections. So in this next generation of secure boot, this will mean that your security software can be trusted to be loaded first. If you know how attack and defense works, a lot of times whoever loads first, wins — because they’re in front of the bad guy’s software. If the bad guy loads first, they can lie to the security software.

Security software still has to work, but if you are first, you are no longer fighting over who wins that race. Good guys can now win that fight, but it’s taken us 15 years to get to a secure boot.

Black Hat and DEF CON have experienced continued growth for more than 20 years. Few sectors see that kind of consistency.

Both conferences reflect the overall industry; there seems to be never-ending growth in interest. Normally we get a few hundred submissions at Black Hat; this year we have almost 600 submissions. Just to review 600 technical submissions is a huge job. We’ve got a review board of 20-plus experts, and it just takes a long time. We’re seeing these submissions diversify; we now see them on Internet of things, car hacking, automation, drones, wireless, satellites, all this machine-learning stuff — on top of all the normal Web-app sec.

The trend of complexity is accelerating. That’s the big trend; the ecosystem is diversified and becoming more complex, which makes it harder and harder for any one person to understand what’s really going on.

The attack surfaces are increasing all the time.

You might need to have five or 10 people in a room to even understand what your exposures are. The access control system is now plugged in, the video surveillance system is plugged in; smart locks, the ticketing system — everything’s getting plugged in. Sometimes they don’t realize that they are inheriting each other’s vulnerabilities.

In the old days, you could get two or three people together and understand what your exposures are. Now, especially with cloud and SaaS, you’re inheriting whole chains of risk that you didn’t even know you were inheriting. If you outsource your email, does your email provider ever tell you when they’re being attacked? They never tell us. Is that because nobody ever attacks them, or because they don’t know? I don’t know the answer to that. Users just figure, ‘I bought it, therefore I assume it is secure.’

Do you realize that you have no Fourth Amendment protection once you outsource something? [The Fourth Amendment to the U.S. Constitution is the part of the Bill of Rights that prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause.] What does your general counsel say to that? I don’t think he knows! Okay then!

I think we’re at a psychological tipping point, where the human way of responding to this onslaught of complexity is that they sort of shut down. I hear people saying: ‘Well, they’re going to get the data anyway,’ or, ‘There’s no such thing as privacy anymore,’ or ‘You can never keep them (hackers) out.’ Well, s–t, if you’re not even going to try, then I guess they win. That dismissive, defeatist attitude — that to me is the most troubling. They’ve accepted the fact that they’ve lost before they’ve even started.

Is data privacy a myth?

No, no. The problem is, much like that defeatist attitude, we’ve just assumed that everybody will already have our private data, so we don’t try. For example, I don’t use Facebook’s app, but I use the Web browser. There I am; I’m having the same experience without giving them access to the microphone and camera on my phone. I can still see what my friends are up to. You can approach your day-to-day operations in a more private manner if you just think about it.

Consumers have this false choice where they want to participate in the economy, they have to give up a lot of privacy. They’re told that if they do this, they’ll get a lot of value out of it. But I don’t believe they get a lot of value out of it. The companies that do sales and advertising, they get a lot of value out of it.

I think what’s going to happen in privacy is that privacy will improve behind the scenes. Email will be encrypted between Google and Yahoo; so maybe the government can’t snoop, business competitors can’t snoop, but it will be transparent to you. Some of the plumbing of the Internet is going to get more secure.

Companies are encrypting more data all the time, whereas previously it was tedious, complicated and slow to do, and people avoided it if possible. Will this trend continue?

There’s no overhead [in encryption] now. If you’re not encrypting everything now, the question is, why aren’t you? You’re just going to see that trend accelerate. It solves certain problems; if you do data at rest on a laptop, you won’t freak out as much if your laptop gets stolen. Same thing with phones. Risk managers, lawyers like that. I think what’s going to happen is that once it starts becoming encryption in motion versus encryption of data at rest, that’s where it gets a little more complicated, but it’s still doable.

On a scale of 1 to 10 [with 10 being the highest importance], it’s about a seven. Having the right employee mix is more important; if you have the right employees you can make the right decisions, buy the right technology … having the right people is the most critical thing, because everything flows from them.

Will big data-based risk assessment projections — of employees, customers, partners and so on — through data analytics continue to get traction as a major security tool?

This is just another tool for managers to use. The question is: What is the manager going to do with it? He can sit around and have a beer and get to know his people, or you can sit at a console and read a report. Would you rather have your boss get to know you, know you’re under pressure, or read a report?

How do you spend your time now: consulting, working for a company, working for yourself?

Sort of all of the above. I volunteer time, I advise some companies, I consult for some companies, I have my own business. I’m involved in various policy groups. It’s difficult to describe what I do now, but as I find that people are getting more and more involved in security, and more importantly in the cyber area, whether it’s about political consequences or the economic or the military, everybody is viewing it through their own lens. And I try to act as a translator from my perspective.

Being in this industry for so long, what does my perspective mean? There’s a lot of self-interest in people in this area because they’re trying to sell you something. So generally my value is I’m not trying to sell you anything, and that allows me to have interesting conversations — it just doesn’t allow me to make any money! (laughs)

I interviewed (well-known ’90s hacker and now consultant) Kevin Mitnick recently. Do you know Kevin? He’s now running his own consulting firm in L.A.

Yes, I know Kevin. I don’t hang out with him much, but I see him at the cons, and he and I are friends.

He’s doing speaking (engagements) and a lot of things. I don’t pursue speaking, but every once in a while I get asked. For example, I’ll be speaking at the NATO Cyber (CyCon) conference in Tallinn, Estonia. That’ll be interesting because that’s not an audience I normally speak to, so I want to learn from that audience, and they want to learn from me. Those are the kinds of things I find interesting. I just came from the GCS 2015 in The Hague, the fourth annual summit on cyber-space. There were like 27 ministers from different countries, and they’re all trying to figure out things like ‘What do we do about vulnerability disclosures?’ ‘What’s considered an active war in cyber?’ ‘What are the norms for international behavior?’ and ‘How do we govern disputes?’

And so they’re working through these big, thorny issues, and it’s nice that they’re starting to have some technical people involved in the conversations; it’s not purely theoretical.

How much of your work now involves the IoT (Internet of things)?

It’s like a subchapter heading underneath ‘We Can’t Manage Our Existing Risks, and Here We’re Adding a Whole New Pile of Risks.’ You could say the same thing for connected automobiles, home automation, or access control systems. The market drivers are going to be so great, and everything’s happening so fast, that we’re just going to have to clean up the mess behind it. We’ve been doing this for so long that it’s too bad that as we approach a new sector that we don’t already have some best practices figured out. The market drivers are like, ‘We’ll figure that out later.’

The IoT stuff is interesting, because it’s going to have such a long tail: You’ll attach your connected smoke detector and it’ll be there for a decade — you’ll never have to patch it. You may go through four more iPods and five iWatches and six iPhones, and you’re still going to have that one connected smoke detector.

What are one or two of the most common security issues you are asked to help solve?

There’s sort of two modes of consulting: One is management consulting, when I’m asked: ‘Here’s what we’re doing; do you think we’re doing the right thing? What should we be doing? How should we think of risk? How should we think of cyber insurance? How much emphasis do we put on training versus buying products?’ The normal business-reality check.

Or it’s more of a crisis mode, after the fact. ‘We’ve had an incident; help us with hacks; help us find the things that were stolen; help us get the right incident-response team; help us put out the fires,’ essentially. It’s either much more calm and serene, or much more immediate and on fire.

I have to ask you this question: Will we, as enterprises, individuals, organizations and security vendors, ever get to the point where we can stop the hackers cold and protect our data completely?

No. I don’t think so, but I don’t think that’s the measure we should be using; 100 percent security is not achievable, so you don’t want to be telling people that’s a valid goal, because otherwise you’re setting yourself up for failure. My dad was a doctor, and he didn’t go into medicine thinking he was going to cure cancer. If he told himself that, he’d go crazy. As security people, we should not be saying we should solve security, because we’re not.

But what we should do is constantly work towards making things better. You know what? I would take 80 percent security, because that means we can focus our attention on that 20 percent. I don’t want to take really smart people and focus on 100 percent, because we’re diluting ourselves.

We’re sort of at the beginning of a stage here, with machine learning, more automated processes, certain things we have centralized in a SaaS or cloud environment, where you can start getting economies of scale, where you can start learning from other sensors. I think in the next four or five years we’ll be flushing out the bulk of the crap (security), and that will leave us with the more challenging, interesting stuff. At least that’s what I hope. I hate having to focus on the same mundane stuff year after year after year — let’s move the needle a bit — and I think we’re starting to see that with machine learning.

Do you still interact with hackers a lot?

Depends on what you mean by “hackers.” If you mean computer criminals, no, I don’t hang out with a lot of computer criminals. If you mean old-school hackers, then yeah, all the time.

What’s your experience interacting with a nation-state or organized crime syndicate?

Normally, if it’s a nation-state, you don’t know it’s a nation-state. They’ll always pretend they’re somebody that they’re not. They work for a company, a different government than the one they’re really with. They often ask general questions, essentially like a reporter — like they’re trying to get advice on where you see things going. They also sniff around and see if you’re available to do work.

Organized crime used to reach out years ago, but organized crime now has their own budgets, their own training, their own infrastructure — they haven’t had to come to the security community or hacking community to get talent for a long time. In the early days, it was interesting; they (the crime syndicates) would throw parties and try to recruit you, and then you’d stop and think, ‘Wait a minute, who’s paying for this, what’s going on?’

But then again, you really don’t know — for all you know, it was an FBI sting.

One last question: Tell me something I don’t know about Internet security that I probably should know.

Okay. If someone takes a picture of your keys, they can make a copy of your keys.

Good to know.

Indeed.

Originally published on eWeek